Cybersecurity Penetration Testing on the Ethereum Blockchain

This document contains proprietary information. Expressed written consent by Buglab Limited (“Buglab”)
is required for duplication or distribution of any content contained herein.
Table of Contents

4 Abstract
5 The Cybersecurity Market
7 Blockchain Security
8 Methods of Fighting Cyber Crime
9 Bug Bounty Programs
10 The BugLab Solution
10 Core Features of the Buglab Platform
12 Defining Requirements
14 Real-Time Reporting
15 Contest Details
17 Contest Scoring
18 Vulnerability Timestamp
19 Fix Companion
20 Money-Back Guarantee
20 Service Levels
21 Vigilante Protocol
23 Computer Emergency Response Teams
23 Assigning Pentester Status
24 The Buglab Vigilante Protocol Reserve
26 Buglab Transaction Reserve
28 The Buglab Token
31 Management Team
33 Advantages of Using the Blockchain to Reshape Pentesting
33 Legal Disclaimer
THIS DOCUMENT IS NOT A PROSPECTUS OF ANY SORT

THIS WHITEPAPER SETS FORTH A DESCRIPTION OF THE PLANNED BUGLAB PLATFORM (THE “BUGLAB PLATFORM”) AND USE OF THE BUGLAB TOKEN (THE “BGL TOKEN”). THIS IS BEING PROVIDED FOR INFORMATION PURPOSES ONLY AND IS NOT A BINDING LEGAL AGREEMENT. BGL TOKEN SALES WILL BE GOVERNED BY A TOKEN PURCHASE AGREEMENT. IN THE EVENT OF A CONFLICT BETWEEN THE TOKEN PURCHASE AGREEMENT AND THIS WHITEPAPER, THE TOKEN PURCHASE AGREEMENT GOVERNS.

THIS WHITEPAPER IS NOT AN OFFERING DOCUMENT OR PROSPECTUS, AND IS NOT INTENDED TO PROVIDE THE BASIS OF ANY INVESTMENT DECISION OR CONTRACT.

Abstract

Today’s computing environment is dynamic and complex. Demand for cybersecurity professionals exceeds supply as hackers develop ever more advanced schemes that target countless companies, both large and small.

A 2017 Global Information Security Workforce Study (GISWS) joint report from Frost & Sullivan and the International Information Systems Security Certifications Consortium, Inc. (ISC)² forecasted that the number of unfilled cybersecurity positions will surpass 1.5 million by 2020. Demand resulting from IoT and other smart technology deployments is likely part of this cybersecurity growth.

Industry growing 11%: from $138 billion in 2017 to $232 billion in 2022.

Gartner is predicting that information security will require $93 billion in spending globally during 2018. Any type of company and just about any kind of software could be at risk. When authentication isn’t tamper proof, or when email or other private data are exposed, a company, whether large or small, could be subject to legal action.

Buglab will offer a unique, competitive, incentivized, and easy-to-use platform to address this widespread and growing business need. Buglab will assist companies, whether in IT, financial services, or retail, to identify and mitigate cybersecurity gaps they may not (but should) know about.

The Buglab platform detects and remedies vulnerabilities in business applications, websites, mobile applications, Internet of Things (IoT) devices, and smart contracts by transforming penetration test services into challenges, referred to as contests, for a community of independent information security consultants with certified qualifications.

The solution makes cybersecurity services accessible to even the very smallest enterprises, which typically lack both the resources and the budget to tackle cybersecurity vulnerabilities using traditional means.
The Cybersecurity Market

Impacts on Return on Investment (ROI) are difficult to quantify, so it takes time for companies to recognize the need for cybersecurity services.

For all too many enterprises, as well as individuals with any digital assets on their websites (content included), it often takes a breach of their systems before they take action to shore up security.

Corporations are often aware that their levels of computer security fall short. However, finding and placing qualified cybersecurity professionals is time intensive and costly. Regulatory requirements to protect personal data add another layer of complexity for cybersecurity solutions.

According to an ETH Zurich conference workshop, between now and 2025 there will be more than 50 billion online devices. A significant portion of the information stored across all of these ecosystems will need protection. The cybersecurity market is likely to grow non-linearly to address needs in this space.

Meantime, the victims of cyber attacks rarely advertise that they have been targets unless they must, and data vulnerabilities are rarely first priority as product gets rushed to market, so it is difficult, if not impossible, to get exhaustive statistics about cyberattacks, including their frequency or their impact on ROI. However, one aspect is absolutely certain: the trend is decidedly on the rise, with some widely known geopolitical impacts.

A standout case is that of the 2016 U.S. presidential election campaign, when a massive email leak cast a shadow over the Democratic party in July 2016. Hillary Clinton’s campaign was the victim of a large-scale cyber attack that not only put the Democratic party’s electoral strategy in peril, but also shaped the future of American politics. That July, Reuters reported that a “computer network used by Democratic presidential nominee Hillary Clinton’s campaign was hacked as part of a broad cyber attack on Democratic political organizations.” The article went on to say that the attack “follows two other hacks on the Democratic National Committee, or DNC, and the party’s fundraising committee for candidates for the U.S. House of Representatives.”

More recently, in May 2017, emails and documents were taken from the mailboxes of several senior officials who were part of then-future French President Emmanuel Macron’s “En Marche” political movement. Their contents were exposed across social media networks at the campaign’s final hour.

There have also been countless wide-scale breaches of medical, financial, and email data affecting small businesses and individual users. Most readers have seen their email or have known of a personal website that’s gotten hacked. The New York Times as well as other media sources reported on Yahoo’s disclosure that a massive breach affected 500 million accounts during 2014. An earlier incident in 2013 compromised some 3 billion users, that is, all Yahoo accounts, The Guardian and New York Times, among other outlets, reported. The figure given out by Yahoo to the press was originally 1 billion but was revised upward several months later after further investigation. Clearly, new methods to get ahead of the hackers are needed.
Blockchain Security

The method offered by Buglab deploys expertise and smart contracts across the blockchain.

A blockchain is a thread of digital records across which different types of data are stored. Together, these distributed (or decentralized) records make up a database similar to the pages of a large ledger book. These virtual ledgers are hosted across many servers, which helps verify and authenticate any given transaction. It is an intense numerical process, across many machines hosted by countless participants, or miners. See also Advantages of Using the Blockchain to Reshape Pentesting.

Yet even on the blockchain, designed to be far harder to tamper with than a centralized database, the prospect of monetary gain is enticing attackers. In the cases below the weak point was the software around the ledger rather than the ledger itself: a web front end in one case, a smart contract library in the other.

The equivalent of nearly $8 million was stolen from CoinDash in July 2017, all within minutes of the ICO launch, as reported by CoinDesk, an industry publication. CoinDash, which offered an exchange platform for decentralized trading, saw the digital assets siphoned as a hacker simply took over CoinDash’s official website and replaced the corporate Ethereum address with his own Ether wallet address. Participants who believed they were sending Ether to CoinDash were in fact sending it directly to the hacker. The Ethereum network processed every one of those transactions exactly as signed; the attack succeeded because the address participants trusted was published through a compromised web page.

A more recent case was the result of compromised libraries at Parity Wallet. About $300 million in Ether was locked accidentally right after a fix was implemented for a different vulnerability. In the first case, a hacker exploited a vulnerability and walked away with some $32 million. But the drama didn’t end there. As Parity explained it, “It is our current understanding that this vulnerability was triggered accidentally on 6th Nov 2017 ... a user deleted the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable and funds frozen since their logic (any state-modifying function) was inside the library”. So, as of early November 2017, those digital assets remained frozen.

There have certainly been other claims of stolen assets. It’s an emerging problem in a rapidly changing industry. As blockchain is an emerging technology, few of the cases are widely understood.
Methods of Fighting Cybercrime

Traditional options for fighting cybercrime are not feasible for small businesses and organizations. The cost of the two common strategies outlined here rapidly becomes out of reach for all but large enterprises:

Penetration tests performed by a cybersecurity consulting firm:

Requires that clients pay for the service in terms of total billable hours, regardless of the test results. The majority of penetration tests performed by consulting firms are done by one, maybe two pentesters. This means that the client only benefits from the methodology and skillset of one or two consultants.

Bug bounty challenges:

Information security researchers are paid on a per-vulnerability-uncovered basis. Companies often end up getting charged to fix issues that are not entirely consequential to their revenue or customers. This is described in more detail in the next section.

Classic cybersecurity consulting companies themselves often only send reports at the end of their research, often in a document format that is difficult to get much out of (Word, Excel, PDFs, and the like).

Bug Bounty Programs

When talking about crowdsourcing in cybersecurity, one immediately thinks of bug bounty programs. These programs aren’t adapted to small and medium businesses.

The first reason for this is cost. Companies that rely on bug bounty methods are often required to pay for each vulnerability that’s reported. Since many of these companies lack internal infrastructure and/or software development teams, they end up paying to identify problems they lack the resources to fix. Obviously, this is an inefficient way to correct vulnerabilities.

Secondly, the results obtained are not always relevant to the client. When using these bounty programs, researchers are often able to rapidly uncover a number of significant flaws without the requirement to do in-depth research. They will easily achieve a reward level based upon a total count of issues discovered without necessarily adding significant value for the client.

After receiving a costly bill and an incomplete result, opportunities for continuity and repeat business are lost.
The Buglab Solution
The Buglab platform links organizations that have information security needs, which is just about all of them, with a community of certified cybersecurity penetration testers in an incentivized environment, where testers are rewarded when they uncover system vulnerabilities, ranked by severity and potential impact. It’s done as a race against time. Importantly, finding unique vulnerabilities is ranked above simply producing a long list of issues.

Core Features of the Buglab Platform

The Buglab platform enables customers to either use the mass of pentesters or choose a validated team from a known company. Teams must include no fewer than five pentesters.

A variety of customizations are available, specific to your organizational needs. Some of the features envisioned are highlighted next.

Public Contest:

Once companies have provided basic information and launched the contest, the community receives a public invitation to participate in the competition.

Private Contest:

Clients also have the option of choosing a select number of pentesters from the community or choosing a validated team from a known cybersecurity firm to complete the challenge.

Selection Filters:

Clients have the option during a private challenge of selecting pentesters using different filters. These include country, score, skillset, etc.

Triage System:

Vulnerabilities reported go through our sorting system to identify duplicates before landing on the customer’s dashboard. The customer is guaranteed to only get notified about relevant submissions.

Reports:

The company receives reporting on their security contests. This feature summarizes each contest’s performance and allows them to graphically compare the security status and progress of their assets.

Self-Managed:

The company can choose from three types of management (basic, pro, and enterprise). In the self-managed case, the client is responsible for sorting, classifying and grading reports.

Mediation:

When a customer opts to manage their challenge themselves, a pentester from the community can ask for mediation from Buglab. This mediation may be required in the event that a pentester deems the score or validation to be inaccurate. A Buglab team can obtain details regarding the cause of the disagreement and evaluate it in an impartial fashion.

Leaderboard:

A dashboard offers a ranking of pentesters from the community according to experience and results on the platform. This provides greater visibility for the best pentesters and makes it easier to select participants for a private challenge.

Chat:

Every vulnerability report is a chance to engage in conversation with pentesters and to obtain their help fixing it.

Fix Companion:

At the Enterprise level, Buglab will verify that the fix has been implemented.

Defining Requirements

The list of potential use cases is quite long. Scenarios might include SQL injection, which lets an attacker read or alter database content. A system may have authentication bypass vulnerabilities. Sensitive company data may be stored unencrypted. File uploads may be unrestricted. User sessions may be subject to takeover by malicious entities. Perhaps the vulnerability is relatively straightforward: for example, a company may have insufficient login security. The Buglab strategy addresses these and other vulnerabilities in a cost-effective manner to tackle cybercrime and its impact on the bottom line.

The platform’s design offers multiple solutions against the threats of cybercrime. Using
either the Professional or Enterprise plans gives firms access to private teams. For
example, a penetration test contest might be closed to all but a preselected team,
depending upon the sensitivity of the data. Alternatively, a business may choose from
other packages to use an open contest model to address system vulnerabilities.

In either use case, our design provides a reward for identifying IT vulnerabilities, and
also forms the infrastructure to solve these issues. Because it takes the form of a
contest, whereby the client has constant access to penetration test results, it’s
real-time and cost effective.

With its scoring system, Buglab incentivizes each researcher to be the first to uncover the maximum number of significant vulnerabilities, and to obtain the highest score, based upon a grade attributed to each. This type of scoring system encourages the community to act in a manner that is effective, thorough, and efficient. Recommendations made by researchers to mitigate vulnerabilities are also communicated to the client. Either the pentester or Buglab itself can work directly with the customer on remediation.

Several options for privacy are available depending upon the sensitivity of data. A company may choose a self-managed contest if they require restricted access to information. Even in the rare event of mediation, Buglab will not be able to view protected details on vulnerabilities associated with a case unless specifically invited.

For a cybersecurity firm that may require an internal team, the workflow would be similar to the following:

1. Pentester uploads proof of experience, employment or otherwise.
2. Clicks Create Team in the application. At least five members are required to proceed.
3. Invites users who likewise need to upload ID, certifications, and proof of experience.
4. The Buglab team reviews the submittal.
5. If the project is accepted, a company can then invite the entire approved team. The contest is activated through the Buglab platform.

By offering contests, Buglab caps user costs by charging a fixed price that features a money-back guarantee in the event no vulnerabilities are detected. Within the challenge or contest framework, community pentesters act independently (though on the same project) to use their diverse technical skills to find and expose security flaws. They are thus able to discover a large number of vulnerabilities in a short amount of time. It’s an efficient model for uncovering cyber threats.

Real-Time Reporting

Company staff follow the contests as they unfold in real time to see reported vulnerabilities and mitigation recommendations. They’ll have the means of communicating with the pentesters for follow up. The platform also can integrate with other reporting tools, at your company’s discretion.

The contest dashboard provides quick access to the progress made by researchers, the type of vulnerabilities uncovered, and top contributors.

The dashboard also enables real-time interactions in an intuitive way to help clients address the vulnerabilities with the help of the researchers or the Buglab team.
The Contest

Companies sign up on the platform and provide information about themselves and their products and services. Then, thanks to a simple and user-friendly interface, they subscribe to a competition contract, whose rules they define.

Clients are able to customize the confidentiality¹ of the competition, the type of management they want, and the level of compensation, which depends upon the selected plan and an optional bonus. As necessary, a Buglab team will interact with customers to help them set up program parameters.

¹ As the contests can be self managed, only the client and the pentester who found the bug will have access to vulnerability details. Pentesters are bound by the Terms and Conditions required during signup to ensure ethical use of the data.

Based on the type of confidentiality² that has been selected, they can then choose from a list of pentesters in the community. Selection can be made according to several criteria, including a pentester’s country or their skill areas. The start date is always determined by you.

The Buglab platform also assigns a proper match based upon the Buglab recommendation engine. Using the methods that Buglab offers, penetration testing follows a unique trajectory, as shown in the following figure.

The scoring system encourages (that is, incentivizes) each pentester to be the first to uncover a maximum number of vulnerabilities, and to obtain the highest score. Each vulnerability is assigned a score. A previously undiscovered issue gets the full score. Scoring for duplicate entries factors in the timestamp (to encourage early reporting of significant vulnerabilities) and the number of pentesters who reported it. See also Vulnerability Timestamp.

² Every pentester operates under the assumption that no vulnerability nor any details associated with a vulnerability issue will be shared with any person or company aside from the customer/client, unless explicitly allowed by the client. Sharing of any proprietary information is subject to client policy. Moreover, jurisdictional regulations with regards to access to private data vary.

Contest Scoring

Upon the contest launch, our community of pentesters that have registered with Buglab is notified. Our international cybersecurity pentesters then analyze, test, and report back on the vulnerabilities of a solution directly on the Buglab platform.

When the contest concludes, the role of Buglab is limited to vulnerability scoring and triage using the Common Vulnerability Scoring System version 3 (CVSS3) standard; how timing affects a score is described in Vulnerability Timestamp. Pentesters are compensated according to their rank in the contest.

An example of the leaderboard is provided in the following screen.

In the event of a dispute, a Buglab internal team may act as a mediator to help clarify unresolved issues. This could occur, for example, if scores are in dispute or the validity of a vulnerability is in question.

Vulnerability Timestamp

Penetration test contests depend on the Vulnerability Timestamp (VTS), which corresponds to the exact moment a vulnerability was reported.

It was necessary to set up a ranking system in order to be able to reward the best researchers according to both their overall score and timing. A pentester’s overall score for a contest is equal to the sum of all of the scores they’ve received for uncovering vulnerabilities. The score for a vulnerability is based on objective and measurable criteria, thanks to CVSS3, introduced in the previous section.

Several pentesters working independently from one another can discover the same vulnerability and report it on Buglab’s platform at different moments in time, which results in duplicate reports, as shown in the following screen.

For such cases, researchers obtain CVSS3-based scores that depend on the speed with which they were able to uncover the vulnerability. The first to have done so will receive full marks, and those that follow will see their score diminish according to their rank in time and the number of pentesters who have uncovered that same vulnerability.

The timestamps have three properties:

● No timestamp can be fraudulently incorporated
● No timestamp can be modified after publication
● All are available to be read (by all)

In the event of duplication, Buglab can provide the means of verification of a score assigned to a pentester, fully securely, without ever revealing any sensitive information whatsoever. Since every timestamp is readable by all, what is recorded on-chain must be a commitment to the report (for instance a salted hash) rather than the report itself; the details are disclosed only to the client, and the commitment is what later proves who reported first.
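The commitment, the append-only record, and the diminishing duplicate score described above, as an added Python example that is not Buglab’s code: the in-memory hash chain stands in for the on-chain record, and the decay rule base*(n-k)/n for the k-th of n finders, the `fingerprint` field used to detect duplicates, and the three sample reports are all assumptions made for illustration; the paper states only that the first finder gets full marks and later finders diminish by rank and finder count.

```python
"""Added example, not Buglab's code: hash-chained timestamp ledger with
commit/reveal, plus duplicate scoring.  Assumptions: the decay rule
base*(n-k)/n, the 'fingerprint' dedup key and the sample reports."""
import hashlib
import json
import secrets
from dataclasses import dataclass

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def commitment(report: dict, salt: bytes) -> str:
    """Salted hash of a canonical encoding: this is all that gets published."""
    payload = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(salt + payload)


@dataclass(frozen=True)
class Entry:
    seq: int          # ledger position: the VTS order
    pentester: str
    digest: str       # commitment only, never the report
    prev: str         # hash of the previous entry

    def entry_hash(self) -> str:
        return sha256_hex(f"{self.seq}|{self.pentester}|{self.digest}|{self.prev}".encode())


class TimestampLedger:
    """Append-only and readable by all; editing or inserting an entry breaks
    the link held by every later entry."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, pentester: str, digest: str) -> Entry:
        prev = self.entries[-1].entry_hash() if self.entries else GENESIS
        entry = Entry(len(self.entries), pentester, digest, prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        expected = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev != expected:
                return False
            expected = e.entry_hash()
        return True


def verify_reveal(entry: Entry, report: dict, salt: bytes) -> bool:
    """Mediation: the pentester reveals (report, salt) to the client only, and
    anyone holding the public digest can confirm it was committed at entry.seq."""
    return commitment(report, salt) == entry.digest


def duplicate_scores(base: float, finders: list[str]) -> dict[str, float]:
    """finders in VTS order; first gets the full CVSS3 base score, the k-th of
    n finders gets base*(n-k)/n (assumed decay, the paper gives no formula)."""
    n = len(finders)
    return {p: round(base * (n - k) / n, 2) for k, p in enumerate(finders)}


def run_contest(submissions: list[tuple[str, dict]]) -> tuple[TimestampLedger, dict[str, float]]:
    """submissions: (pentester, report) in arrival order.  Returns the public
    ledger and the leaderboard (sum of per-vulnerability scores)."""
    ledger = TimestampLedger()
    held = []  # (entry, report, salt) kept off-chain by each pentester
    for pentester, report in submissions:
        salt = secrets.token_bytes(16)
        held.append((ledger.append(pentester, commitment(report, salt)), report, salt))
    # Triage after reveal: group duplicates by fingerprint, keeping VTS order.
    groups: dict[str, list[tuple[float, str]]] = {}
    for entry, report, salt in held:
        if not verify_reveal(entry, report, salt):
            raise ValueError(f"reveal does not match commitment at seq {entry.seq}")
        groups.setdefault(report["fingerprint"], []).append((report["cvss3"], entry.pentester))
    board: dict[str, float] = {}
    for findings in groups.values():
        base = findings[0][0]  # triage-assigned CVSS3 for this vulnerability
        for p, s in duplicate_scores(base, [p for _, p in findings]).items():
            board[p] = round(board.get(p, 0.0) + s, 2)
    return ledger, board


# Constructed sample: alice and carol report the same SQL injection, bob a different bug.
SAMPLE = [
    ("alice", {"fingerprint": "sqli:/api/search:q", "cvss3": 9.8}),
    ("bob", {"fingerprint": "idor:/api/orders/{id}", "cvss3": 6.5}),
    ("carol", {"fingerprint": "sqli:/api/search:q", "cvss3": 9.8}),
]

if __name__ == "__main__":
    ledger, board = run_contest(SAMPLE)
    print(ledger.verify_chain(), board)
```

Two points worth noticing when running it: the ledger never sees a report, only a digest, so publishing it satisfies “readable by all” without leaking the finding; and because each entry hashes the previous one, rewriting an earlier entry (say, changing who submitted it) makes `verify_chain()` fail, which is the property “no timestamp can be modified after publication” in miniature.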


Fix Companion

At the Enterprise level, Buglab will verify that the fix has been implemented. Buglab will attempt to verify (exploit) the vulnerability again. When confirmed as fixed, a Buglab team of analysts will update the status accordingly in the platform. A “fix” can be declined by Buglab to give the company a chance to address the vulnerability again. The company will be allotted up to five attempts to address the vulnerability issue.

Throughout the entire duration of the challenge, companies can chat with pentesters and access reports, so they will be able to implement recommendations to remedy the vulnerabilities in real time. This is especially useful if the vulnerabilities and the associated fixes are time sensitive. Companies need not wait until the end of the contest to implement a fix.

Money-Back Guarantee

At the end of the contest, if it turns out that our customer’s systems are free of vulnerabilities, Buglab will automatically refund, using our smart contract, 90 percent of the cost of the contest. The remaining ten percent is retained for the Vigilante Protocol Reserve (VPR), as explained below in the section titled Vigilante Protocol.

Service Levels

For a fixed price, Buglab will organize penetration tests done by experts pre-approved by our team. Highlights of the features with the three service levels are provided in the following table.

[Table: FEATURES / PLANS (BASIC, PROFESSIONAL, ENTERPRISE). Only the feature rows survive in this copy; which plan includes each feature is not shown.]

● Team management
● Issue tracker integration
● Reports analytics
● Chat with pentesters
● Public contests
● Public & private contest
● Invite pentesters
● Search pentesters by expertise
● Dedicated account manager
● Bug reproduction
● Bug triage & validation
● Duplicate detection
● Fix companion
● Invite Security Teams
Vigilante Protocol

In addition to rolling out contests for enterprises of varying scales, Buglab is introducing a globally integrated hacking prevention program known as the Buglab Vigilante Protocol. It’s a system that allows whitehat researchers to report on system vulnerabilities of a company that isn’t one of our platform’s customers.

We invite companies to reward the whitehats in the form of optional tips or gratuity when they discover flaws. It’s a way for companies to obtain recommendations for their solutions from watchful guardians at little cost to them.

This protocol enables whitehats from the community as well as anonymous whitehat users to report vulnerabilities in a secure and ethical way³ to companies that are not Buglab customers⁴.

More information is provided in the next section.

A company can choose to give a whitehat an optional reward and/or order a contest. If a company orders a contest, the whitehat will receive two percent of the service cost. Buglab will recommend that the company invite this whitehat to participate, even if he/she doesn’t have pentester status.

³ An ethical hacker’s role is similar to that of a penetration tester, but it involves broader issues. Aside from testing duties, ethical hackers are often tasked with other responsibilities such as finding countermeasures to beef up the system’s defenses.

⁴ Note that Buglab will report a vulnerability to the applicable CSIRT without attempting to exploit any vulnerability discovered by the whitehat researcher.

Computer Emergency Response Teams

Our Vigilante Protocol Smart Contract enables communication of sensitive information in a confidential and secure manner through the applicable certified national authorities, namely computer security incident response teams (CSIRT), which are administered by many countries across the globe. Since everything written to a public blockchain can be read by anyone, the contract itself can carry only a commitment to, or a ciphertext of, the report; the plaintext has to be encrypted to the receiving CSIRT or delivered off-chain.

In addition to notifying the company in question of a vulnerability, CSIRT and Computer Emergency Response Teams (CERT) will themselves have to triage and score it. In return, once the company marks a vulnerability as resolved, the response teams will be rewarded with tokens that come out of the Vigilante Protocol Reserve, as partnerships are forged with Buglab.

Assigning Pentester Status

For a whitehat to reach pentester status and to be able to participate in the various challenges, they must, when signing up for the platform, furnish at least one of the certifications that are required by Buglab. Their account is only approved once those requirements have been validated. The two mandatory requirements Buglab employs for becoming a pentester are ID plus certification. Country of residence is optional.

Another way to achieve pentester status is by participating in the Vigilante Protocol in order to prove one’s abilities and willingness to participate in our preventative security strategy. Once they’ve collected a total of 20 points, in accordance with the CVSS3 grading system, they will be able to receive the status and take part in the challenges.

The Buglab Vigilante Protocol Reserve

The VPR has several functions. Its purpose is in part to reward whitehat researchers who contribute to the Vigilante Protocol by drawing up reports about vulnerabilities (once they have been approved). It also allows Buglab to compensate CSIRTs and CERTs, who play an intermediary role. Finally, it allows us to pay fees that are inherent to the various transactions performed on the Ethereum blockchain, and more specifically regarding the timestamping of vulnerabilities. The VPR is initially funded with 20 percent of the token allocation from the crowdsale. Please refer to Buglab Token Distribution Event for further details.

The Buglab VPR is funded in a continuous manner by systematically acquiring ten percent of the tokens from the following three different sources.

Ten percent of the contest cost:

When the contest begins, ten percent of the cost to launch the contest will be automatically transferred into the VPR via the smart contract. This will be automatically taken from the customer’s payment. The customer has no control and no influence over this process.

Ten percent of any custom pentester reward:

When a verified pentester wins a customer-run contest, the pentester will be rewarded automatically through the smart contract.

This is standard for all contests. However, at the end of the contest, the contest owner also has the option to make additional payouts to pentesters who may not have won, though they rank near the top, and/or have identified significant vulnerabilities. It may be the case that other submissions provide more thorough and useful test vectors. The contest owner can choose to gift the close competitors a discretionary amount of tokens. The VPR will automatically take ten percent of these tokens.

Ten percent of any custom whitehat reward:

When a whitehat researcher discovers a vulnerability, if the product owner is not a Buglab customer, the owner is encouraged to make a payment to the researcher and/or begin a vulnerability contest with Buglab. Gratuity payments to whitehat researchers will automatically include ten percent for transfer to the VPR.

The VPR is summarized by a simple formula in which VPR_TDE is the Token Distribution Event (TDE) allocation to the VPR, C_contest is a customer’s cost for a contest, R_custom is any custom reward from a contest, R_whitehat is any optional reward given to a whitehat researcher by the concerned company, N is the total number of contests run so far, and i is the contest number for the individual contest.
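The formula itself is an image that did not survive in this copy. The following is a reconstruction added here from the symbol definitions above and the ten-percent rule stated for each of the three sources; it is not the original figure:

$$
\mathrm{VPR}_N = \mathrm{VPR}_{TDE} + 0.1 \sum_{i=1}^{N} \left( C_{contest,i} + R_{custom,i} + R_{whitehat,i} \right)
$$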

The equation above does not take into consideration transaction fees and gas costs spent making disbursements from the VPR, as these would be paid from the Buglab Transaction Reserve (BTR). This is described in the next section.

Note: The ten percent taken from each of the three sources above is automatic and non-refundable. It will always be transferred to the VPR in order to keep it liquid.

Buglab Transaction Reserve

Financial transactions made on the blockchain by Buglab, in the regular course of operation, will require payment of transaction fees to miners in order to get these transactions included in a block. This is a standard of the Ethereum blockchain. In order to pay these fees, Buglab will create a specific reserve, described as the BTR.

After an initial allocation from the TDE, which is one percent, the reserve will be funded by smart contracts by reserving:

● One percent of the customer’s cost of each contest
● One percent of all rewards provided during the contest
● One percent of all rewards from the VPR

The Buglab Transaction Reserve will be a multi-signature wallet contract that will hold BGL Tokens. When needed, Buglab will convert a portion of these tokens into Ether that can be used to pay for the necessary transaction fees. This wallet will require at least three of five signatures to transfer tokens out when making this conversion to Ether.

Should a future release of the Ethereum blockchain make it possible to use ERC20 tokens directly for paying transaction fees, it will no longer be necessary to convert these tokens to Ether. Until then, gas is payable only in Ether, so the BTR must always hold, or be able to obtain in time, enough Ether to cover the next batch of transactions.

At any given point in time, the BTR value is given by a formula in which BTR_TDE is the TDE allocation to the BTR, C_contest is a customer’s cost for a contest, R_contest is a reward from a contest, R_VPR is a reward from the VPR, F_paid is the fees paid for the transactions on a contest, N is the total number of contests run so far, and i is the contest number for the individual contest.
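As with the VPR, the formula image is missing from this copy. The following is a reconstruction added here from the symbol definitions above and the one-percent rule stated for each source, with the fees paid subtracted; it is not the original figure:

$$
\mathrm{BTR}_N = \mathrm{BTR}_{TDE} + \sum_{i=1}^{N} \left[ 0.01 \left( C_{contest,i} + R_{contest,i} + R_{VPR,i} \right) - F_{paid,i} \right]
$$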

The calculation above considers that transaction fees are paid per contest, but in practice, fees are likely to be accumulated and reimbursed in a lump sum (monthly or quarterly) back to the original Buglab accounts that incurred the fees in the first place.

Note: The one percent taken from each of the three sources above is automatic and non-refundable. It will always be transferred to the BTR in order to provide a supply of funds for paying transaction fees on the blockchain.

The Buglab Token

The Buglab token (BGL) is being introduced to incentivize penetration testing in the blockchain environment. In the context of the Buglab experience, token exchange occurs in the following scenarios.

● To reward contest winners—allowable up to the top three in rankings, or as customized by the company.
● To cover the cost of a contest, including transaction costs.
● To enable and tokenize “tipping” functionality for white hats.
● To fund both the VPR and BTR.
● To reward CERTs and CSIRTs for triaging of vulnerabilities and help build new partnerships.

Tokens can be transferred between two parties over the Internet according to the rules set within the contract that holds the token. During the TDE, tokens are pre-sold at a discount to users who see value in the platform and anticipate they will use the tokens to access the platform when it is ready and generally available for public use.

The BGL Token is based on the ERC20 standard for blockchain tokens. As illustrated in the following figure, the token will be required for all transactions made within the ecosystem, including ordering a contest.

[Figure: BGL token flows, in two groups]

Contest
● Activate Contests: Clients set up contests to fit their pentesting needs and allocate tokens as rewards.
● Secure Compensation: Pentesters are ranked based on cumulative scores and compensated in a way that secures private information.

Vigilante Protocol
● Sustain Operation: The token taken from each contest will flow back to support CSIRT and CERT operations globally.
● Reward White-Hat: Companies are invited to reward BGLs to white-hats as compensation via smart contract.


Most highly skilled penetration testers and whitehats don’t want to disclose their
financial information in order to receive payments, so by creating a token we are able to
attract those people. We also believe that this is the best solution for rewarding
whitehats who participate in the vigilante process as guests.

Token Distribution Event (“TDE”)


Buglab will be the creator and issuer of BGL and will deploy a smart contract
system to receive contributions and to create and issue BGL to contributors
during a TDE.

Full details of Buglab’s TDE are set out in Buglab’s TDE document (a copy of which can be found at the “TDE Document”). This whitepaper should be read in conjunction with the TDE Document.

Management Team
We are united by our mission to help companies protect their digital
solutions.

Reda Cherqaoui
Founder, CEO

Having started at the young age of 16, Reda is a veteran in the field of cybersecurity. Companies that he has helped range from banks to electronics manufacturers.

Youness Aamiri
Blockchain Developer

In addition to speaking Arabic, French and English, Youness is also fluent in HTML, CSS and PHP. Nowadays, he is focused on building a blockchain ecosystem to reshape pentesting.

Amine Bioudi
Full Stack Developer

With years of UI design experience, Amine is passionate about building a platform to enable the best possible user-product interaction.


Azdine Bouhou
Software Architect

Azdine is a seasoned software designer with experience in the insurance, legal and notary fields. Fascinated by the potential of blockchain technologies, he is now helping Buglab build its own platform.

Dalal Cherqaoui
Marketing and Communications Manager

Dalal is a marketing veteran with over 11 years in global marketing groups such as TBWA and Ogilvy. She is a creative storyteller who finds new ways to engage with key stakeholders.

Herve Schauer
Advisor

With over 28 years of experience, Herve is considered a pioneer of France’s IT security industry. He currently heads his own firm, HSC, which was acquired by Deloitte France in 2014.

Advantages of Using the
Blockchain to Reshape Pentesting
Characteristics of the ecosystem are highlighted in this section.

Disintermediation:
For a transaction to go into effect, it has to be approved by all the miners, which
verify the transaction’s validity. Only then can a transaction be incorporated into
network nodes on the blockchain. Adding new blocks requires a consensus
between the network’s players. This process renders control by a third party
obsolete.

Security:
The code for each new block is built on that of the block that precedes it in the
blockchain, in such a way that modifying a single block would involve changing all
of the blocks in the chain, which is impossible. Within a blockchain, the blocks as a
whole are replicated across nodes on the network, and don’t reside on an
individual single server. This decentralized architecture acts as a structural
defense against risks of data theft. The data on these blocks is protected by a
number of innovative cryptographic procedures, to prevent modification after
the fact.

Autonomy:
Within a blockchain, servers and supporting architecture are dispersed across the
network. The blockchain is ideally independent of third party services. Miners
allocate a portion of their machines’ computing power to the calculations
required to validate transactions. This work is rewarded. In the Buglab
contest, the first miner to validate a block wins tokens. This opportunity for
financial gain encourages strong competition. For uncovering cybersecurity
threats, this method provides value to the client.


Smart Contract:
A smart contract is an “If this, then that” logic. It verifies that the goal has been
met and then enables a digital transfer. The terms of the contract are not
changeable after the fact, although the parties involved still retain access. The
competitive nature of contests makes them a crucial part of accelerating
exchanges. In this environment, pentesters will discover and communicate
vulnerabilities quickly.

Legal Disclaimer
As of the date of publication of this whitepaper, BGL Tokens have no known potential uses outside of the Buglab platform ecosystem. This whitepaper does not constitute advice nor a recommendation by Buglab, its officers, directors, managers, employees, agents, advisors or consultants, or any other person to any recipient of this document on the merits of the participation in the TDE sale.

Participation in the TDE carries substantial risks and may involve special risks that could lead to a loss of all or a substantial portion of such investment.

Do not participate in the TDE unless you are prepared to lose the entire amount you allocated to purchasing BGL Tokens. BGL Tokens should not be acquired for speculative or investment purposes with the expectation of making a profit or immediate resale.

No promises of future performance or value are or will be made with respect to BGL Tokens, including no promise of inherent value, no promise of continuing payments, and no guarantee that BGL Tokens will hold any particular value.

Unless prospective participants fully understand and accept the nature of Buglab and the potential risks inherent in BGL Tokens, they should not participate in the TDE. BGL Tokens are not being structured or sold as securities. BGL Tokens are sold as a functional good and all proceeds received by Buglab may be spent freely by Buglab, absent any conditions set out in this whitepaper. This whitepaper is not a prospectus or disclosure document and is not an offer to sell, nor a solicitation of any offer to buy any investment or financial instrument in any jurisdiction and should not be treated or relied upon as one.


This whitepaper is for information only. Written authorization is required for distribution of any or all parts contained herein.

All information here that is forward looking is speculative in nature and may change in response to numerous outside forces, including technological innovations, regulatory factors, and/or currency fluctuations, including but not limited to the market value of cryptocurrencies.

This whitepaper is for information purposes only and is subject to change. Buglab cannot guarantee the accuracy of the statements made or conclusions reached in this document.

Buglab does not make and expressly disclaims all representations and warranties (whether express or implied by statute or otherwise) whatsoever, including but not limited to:

● any representations or warranties relating to merchantability, fitness for a particular purpose, suitability, wage, title or non-infringement;
● that the contents of this document are accurate and free from any errors; and
● that such contents do not infringe upon any third party rights. Buglab shall have no liability for damages of any kind arising out of the use, reference to or reliance on the contents of this document, even if advised of the possibility of such damages.

This whitepaper includes references to third party data and industry publications. Buglab believes that this industry data is accurate and that its estimates and assumptions are reasonable; however, there are no assurances as to the accuracy or completeness of this data. Third party sources generally state the information contained therein has been obtained from sources believed to be reliable; however, there are no assurances as to the accuracy or completeness of the included information. Although the data are believed to be reliable, Buglab has not independently verified any of the data from third party sources referred to in this whitepaper or ascertained the underlying assumptions relied upon by such sources.

Please note that Buglab is in the process of undertaking a legal and regulatory analysis of the functionality of its BGL Tokens. Following the conclusion of this analysis, Buglab may decide to amend the intended functionality of its BGL Tokens in order to ensure compliance with any legal or regulatory requirements to which we are subject. In the event that Buglab decides to amend the intended functionality of its BGL Tokens, Buglab will update the relevant contents of this whitepaper and upload the latest version of this to its website.

Any BGL Tokens could be impacted by regulatory action, including potential restrictions on the ownership, use, or possession of such tokens. Regulators or other circumstances may demand that the mechanics of the BGL Tokens be altered, all or in part. Buglab may revise mechanics to comply with regulatory requirements or other governmental or business obligations. Nevertheless, Buglab believes they have taken all commercially reasonable steps to ensure that its planned mechanics are proper and in compliance with currently considered regulations.


Caution Regarding Forward-looking Statements

This whitepaper contains forward-looking statements or information (collectively “forward-looking statements”) that relate to Buglab’s current expectations and views of future events. In some cases, these forward-looking statements can be identified by words or phrases such as “may”, “will”, “expect”, “anticipate”, “aim”, “estimate”, “intend”, “plan”, “seek”, “believe”, “potential”, “continue”, “is/are likely to” or the negative of these terms, or other similar expressions intended to identify forward-looking statements. Buglab has based these forward-looking statements on its current expectations and projections about future events and financial trends that it believes may affect its financial condition, results of operations, business strategy, financial needs, or the results of the TDE or the value or price stability of the BGL Tokens.

In addition to statements relating to the matters set out here, this whitepaper contains forward-looking statements related to Buglab’s proposed operating model. The model speaks to its objectives only, and is not a forecast, projection or prediction of future results of operations.

Forward-looking statements are based on certain assumptions and analysis made by Buglab in light of its experience and perception of historical trends, current conditions and expected future developments and other factors it believes are appropriate, and are subject to risks and uncertainties.

Although the forward-looking statements contained in this whitepaper are based upon what Buglab believes are reasonable assumptions, these risks, uncertainties, assumptions, and other factors could cause Buglab’s actual results, performance, achievements, and experience to differ materially from its expectations expressed, implied, or perceived in forward-looking statements. Given such risks, prospective participants in a TDE should not place undue reliance on these forward-looking statements. Risks and uncertainties include, but are not limited to those identified in the Token Sale Terms and Conditions. These are not a definitive list of all factors associated with making a contribution to Buglab in connection with its operations.

Buglab undertakes no obligation to update any forward-looking statement to reflect events or circumstances after the date of this whitepaper.

The Company’s business is subject to various laws and regulations in the countries where it operates or intends to operate. There is a risk that certain activities of the Company may be deemed in violation of any such law or regulation. Penalties for any such potential violation would be unknown. Additionally, changes in applicable laws or regulations or evolving interpretations of existing law could, in certain circumstances, result in increased compliance costs or capital expenditures, which could affect Buglab’s profitability, or impede Buglab’s ability to carry on the business model and the BGL Token model proposed in this whitepaper.
